7. Security Considerations

Trust and Authentication

  • Links inherit the authenticity of their context: a link is exactly as trustworthy as the representation or header that carries it, no more
  • HTTP Link header fields carry no protection of their own; they are only as authentic and integrity-protected as the message that carries them (in practice, TLS end to end)
  • Links serialised in the content have the same security properties as that content

Target Resource Security

  • Target IRIs may point into a different security realm (another origin, host or trust domain) than the context
  • Implementations should authenticate and authorise the target separately, on its own terms
  • Never trust a linked resource merely because a trusted context linked to it

Privacy Considerations

Information Disclosure

  • Links may reveal private information about a resource (related identifiers, internal names, ownership)
  • Relation types may expose resource structure, such as pagination depth or the existence of alternate representations
  • Consider the privacy implications before exposing a link at all

Tracking Concerns

  • Dereferencing a link reveals to the target (and to intermediaries) that the client processed the context, so link following can be tracked
  • Implementations should respect the user's privacy settings when deciding what to fetch
  • Users should control whether links are dereferenced automatically

Implementation Guidelines

Validation

  • Validate IRI syntax before dereferencing; resolve relative references against the correct context first
  • Reject malformed IRIs and dangerous or unexpected schemes (for example javascript:, file:, data:) rather than passing them on
  • Treat relation types as untrusted input: accept only well-formed values, and never interpolate them unsanitised into HTML or queries

Resource Access

  • Do not automatically dereference every link you parse
  • Restrict automatic access to an allow-list of relation types your application actually needs
  • Respect the same-origin policy where applicable; a cross-origin target needs its own trust decision

Denial of Service

  • Cap the number of links parsed per header and per document
  • Detect cycles (track visited targets) so that chains such as next/prev always terminate
  • Rate-limit link dereferencing so a hostile or buggy server cannot drive unbounded fetching
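The following Python is an added example, not code from the original page or from RFC 8288, that ties the three guideline groups above together: it parses a Link header field value with a per-header cap, accepts only well-formed relation types, rejects targets whose scheme is not http(s) or whose origin differs from the context, and walks an allow-listed relation with cycle detection and a hop limit. The sample header, the fake site map, the `{"next"}` allow-list and the caps are constructed assumptions; the parser is deliberately simplified and does not handle quoted parameter values that contain `,` or `;`.

```python
# Conservative handling of a Link header field (added example; not from the RFC).
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample header value mixing safe and unsafe targets (not captured traffic).
SAMPLE_LINK_HEADER = (
    '</chapters/2>; rel="next", '
    '<https://cdn.example.net/style.css>; rel="stylesheet", '
    '<javascript:alert(1)>; rel="next", '
    '<file:///etc/passwd>; rel="icon", '
    '</chapters/1>; rel="prev"; title="Chapter 1", '
    '<https://tracker.example.org/p?u=1>; rel="preload"'
)

# reg-rel-type syntax from RFC 8288 Section 2.1.1: LOALPHA *( LOALPHA | DIGIT | "." | "-" ).
# Matched case-insensitively because registered relation types compare case-insensitively.
REG_REL_TYPE = re.compile(r"^[a-z][a-z0-9.\-]*$", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}
AUTO_FOLLOW_RELATIONS = {"next"}   # assumed allow-list of relations this client dereferences itself
MAX_LINKS = 100                    # assumed cap on links parsed per header and hops per walk

# Simplified link-value grammar: <target> followed by ;-separated parameters.
# Limitation: quoted parameter values containing ',' or ';' are not handled.
LINK_VALUE = re.compile(r"<([^>]*)>((?:\s*;\s*[^,;]+)*)")
PARAM = re.compile(r';\s*([A-Za-z0-9!#$&+\-.^_`|~]+)(?:=(?:"([^"]*)"|([^;,\s]*)))?')


def parse_link_header(value, max_links=MAX_LINKS):
    """Return [(target, {param: value}), ...], stopping after max_links links."""
    links = []
    for m in LINK_VALUE.finditer(value):
        if len(links) >= max_links:
            break
        params = {}
        for p in PARAM.finditer(m.group(2)):
            name = p.group(1).lower()
            val = p.group(2) if p.group(2) is not None else (p.group(3) or "")
            params.setdefault(name, val)  # first occurrence wins (RFC 8288 Section 3.3)
        links.append((m.group(1), params))
    return links


def valid_relation_types(rel_value):
    """Split a rel parameter and keep only well-formed relation types."""
    out = []
    for r in rel_value.split():
        if REG_REL_TYPE.match(r):
            out.append(r.lower())        # registered type
        elif urlsplit(r).scheme in ALLOWED_SCHEMES:
            out.append(r)                # extension type: absolute http(s) URI
    return out


def safe_target(context_url, target):
    """Resolve target against the context and enforce scheme and same-origin rules.
    Returns the absolute URL if it may be dereferenced automatically, else None."""
    resolved = urljoin(context_url, target)
    parts, ctx = urlsplit(resolved), urlsplit(context_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None                      # javascript:, file:, data:, malformed, ...
    if (parts.scheme, parts.netloc.lower()) != (ctx.scheme, ctx.netloc.lower()):
        return None                      # cross-origin: needs its own trust decision
    return resolved


def auto_follow(context_url, header_value, fetch, max_hops=MAX_LINKS):
    """Walk allow-listed links starting from context_url.
    fetch(url) returns the Link header value of url (or None). Stops on a revisited
    URL (cycle), when no acceptable link remains, or after max_hops hops."""
    seen, visited = {context_url}, []
    current, header = context_url, header_value
    while header is not None and len(visited) < max_hops:
        next_url = None
        for target, params in parse_link_header(header):
            rels = set(valid_relation_types(params.get("rel", "")))
            if not rels & AUTO_FOLLOW_RELATIONS:
                continue
            resolved = safe_target(current, target)
            if resolved is not None and resolved not in seen:
                next_url = resolved
                break
        if next_url is None:
            break
        seen.add(next_url)
        visited.append(next_url)
        current, header = next_url, fetch(next_url)
    return visited


# Constructed stand-in for an HTTP client: URL -> Link header value of that resource.
FAKE_SITE = {
    "https://example.com/chapters/2": '</chapters/3>; rel="next"',
    "https://example.com/chapters/3": '</chapters/2>; rel="next"',  # points back: a cycle
}


def fake_fetch(url):
    return FAKE_SITE.get(url)
```

Calling `auto_follow("https://example.com/book", SAMPLE_LINK_HEADER, fake_fetch)` visits /chapters/2 and /chapters/3 and then stops, because the third page links back to an already-visited target; the javascript: and file: targets and the cross-origin CDN and tracker links are never fetched. In production the `fetch` stand-in would also be where the rate limit lives.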

Key Principle: Links convey metadata about relationships between resources; they do not imply any trust in the target resource.